{"id":13589,"date":"2026-06-13T10:03:57","date_gmt":"2026-06-13T10:03:57","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/13\/hackers-use-onyxc2-malware-as-a-service-to-steal-credentials-from-210-applications\/"},"modified":"2026-06-13T10:03:57","modified_gmt":"2026-06-13T10:03:57","slug":"hackers-use-onyxc2-malware-as-a-service-to-steal-credentials-from-210-applications","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/13\/hackers-use-onyxc2-malware-as-a-service-to-steal-credentials-from-210-applications\/","title":{"rendered":"Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications"},"content":{"rendered":"<p>Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications<\/p>\n<div>\n<p class=\"wp-block-paragraph\">A new and dangerous credential-stealing tool called OnyxC2 has emerged in the cybercrime underground, showing just how easy it has become for even low-skilled attackers to run a professional hacking operation. <\/p>\n<p class=\"wp-block-paragraph\">Sold as a complete package for $250 a month, the malware gives buyers everything they need to quietly drain login data from victims worldwide. What makes it stand out is the scale of what it targets: over 210 applications and browser extensions in one sweep.<\/p>\n<p class=\"wp-block-paragraph\">OnyxC2 is marketed like legitimate commercial software, complete with a web panel, a payload builder, tiered pricing, and refunds if a build gets flagged. <\/p>\n<p class=\"wp-block-paragraph\">For a monthly fee, buyers get a kit that steals browser credentials, password manager data, two-factor authentication codes, and crypto wallet information. 
The stolen data is shipped back through an encrypted channel, making it harder for security tools to catch in transit.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.blackfog.com\/inside-onyxc2-the-new-stealer-targeting-210-apps\/\" id=\"https:\/\/www.blackfog.com\/inside-onyxc2-the-new-stealer-targeting-210-apps\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts at\u00a0Blackfog\u00a0identified the malware and published their findings in a report<\/a> shared with Cyber Security News (CSN), revealing the full scope of what OnyxC2 can do and how it evades detection. <\/p>\n<p class=\"wp-block-paragraph\">The research team obtained live builds, ran them in sandbox environments, and confirmed that the tool is actively reaching live command-and-control infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">The malware is written in C++, using assembly code to bypass security rules at the system level. Each build is mutated before delivery to break antivirus signature detection, and the developer claims a 99% evasion rate. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi03QAqe9O6GVAdJB9dgrb9hbvcfnf21CbihE5hNWcIGA-Y7PJOW5Hm7qSopjvAsK-y69FysI6kRE_6yA8bYjbzP_l4CO_EESGQM7C24T3OTXDt5Q0-Wk7Z4ZGwAqoRLd9OOo4hizrdHK6AQnksYGtxyXvh9wRZwt-ayDlK6uSgOB0Se6oOUD71lp-8_7g\/s16000\/OnyxC2%2520dashboard%2520harvest%2520totals%2520%28Source%2520-%2520Blackfog%29.webp?ssl=1\" alt=\"OnyxC2 dashboard harvest totals (Source - Blackfog)\"><figcaption class=\"wp-element-caption\">OnyxC2 dashboard harvest totals (Source \u2013 Blackfog)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Blackfog\u2019s tests confirmed this: both sample builds submitted to VirusTotal came back clean on first upload, with the malicious component still undetected as of May 30, 2026.<\/p>\n<p class=\"wp-block-paragraph\">The damage potential is very real. One infected machine shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet, all from a single host. <\/p>\n<p class=\"wp-block-paragraph\">That kind of haul can unlock banking systems, business accounts, and cloud services in one shot.<\/p>\n<h2 id=\"h-hackers-use-onyxc2-malware-as-a-service\" class=\"wp-block-heading\"><strong>Hackers Use OnyxC2 Malware-as-a-Service<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The breadth of OnyxC2\u2019s target list sets it apart from simpler stealers. It reaches 37 Chromium-based browsers and 8 Gecko-based browsers, plus 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication tools. 
Even accounts protected by 2FA are not safe from this threat.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5DO3fzUF91gV4OZ0BChfarRjGUVb_26JHIDV9DvkyPwfW0AMCFwKygGQqlAee1oI8V4TCXF_A57jQLgw9oYHhN-cyWyVbZumfdVbu6-_s42tPx63gjUO2uqua8gDc0wO6vzeOVu-3RRKyfdTcGX1xlBureoxOdu0qGu7QKLFwTPqHoUNjJ1mrvslBCV0\/s16000\/OnyxC2%2520license%2520tiers%2520and%2520pricing%2520%28Source%2520-%2520Blackfog%29.webp?ssl=1\" alt=\"OnyxC2 license tiers and pricing (Source - Blackfog)\"><figcaption class=\"wp-element-caption\">OnyxC2 license tiers and pricing (Source \u2013 Blackfog)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The stealer also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. <a href=\"https:\/\/cybersecuritynews.com\/vidar-malware-targets-browser-credentials-cookies\/\" id=\"149598\" target=\"_blank\" rel=\"noreferrer noopener\">A stealer that grabs password manager data alongside active session cookies<\/a> can access accounts even after a victim changes their password. <\/p>\n<p class=\"wp-block-paragraph\">The FTP and email targets push its reach beyond personal accounts and into business systems that finance and operations teams use every day.<\/p>\n<p class=\"wp-block-paragraph\">Beyond credential theft, OnyxC2 bundles a full remote-access toolkit. Operators can use HVNC to control a hidden browser session, run a keylogger, take screenshots, and manage files remotely. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj3Fny7V5mDx6n6Sv3WGfyhFIoX5kDlKG7p6rUghrRKaNMwAnyjs_Axf0YavB225_saT_vhdYqfYzC2hd9mJeGsfFsZdecjayR-vd2m_coDVZCfQBOM4g6qzyyYxCGZYJFcW2fvPzNzcSdR9wV7gTYvQHTouM8Dq0slQi4miLQ1UvAX5sD0eWXRJPzEjBw\/s16000\/OnyxC2%2520builder%2520with%2520backend%2520path%2520%28Source%2520-%2520Blackfog%29.webp?ssl=1\" alt=\"OnyxC2 builder with backend path (Source - Blackfog)\"><figcaption class=\"wp-element-caption\">OnyxC2 builder with backend path (Source \u2013 Blackfog)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">A reverse SOCKS5 proxy and a built-in Tor tunnel round out the toolkit, letting attackers route traffic anonymously.<\/p>\n<h2 id=\"h-fake-installer-delivery-and-evasion\" class=\"wp-block-heading\"><strong>Fake Installer Delivery and Evasion<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">OnyxC2 reaches victims through fake installer packages disguised as legitimate software downloads. The lures found by researchers included packages mimicking Fling-Standalone, FinePrint, SystemSettings, and fake Windows update files. <\/p>\n<p class=\"wp-block-paragraph\">Each malicious archive is password-protected, helping it slip past automated scanning tools that must open files to inspect them.<\/p>\n<p class=\"wp-block-paragraph\">Inside each fake archive is a two-file package built for DLL sideloading. The first file is a legitimately signed application that Windows trusts without question, and the second is a malicious DLL named to match a library the signed program loads at startup. 
<\/p>\n<p class=\"wp-block-paragraph\">When the victim runs what looks like an installer, the trusted program unknowingly loads the attacker\u2019s code from the same folder.<\/p>\n<p class=\"wp-block-paragraph\">The malicious DLL is bloated past 120 MB by mimicking a real NVIDIA graphics library, with genuine-looking exported function names embedded inside. <\/p>\n<p class=\"wp-block-paragraph\">Many antivirus scanners skip large files to save time, and the actual payload sits encrypted inside, only decrypting at runtime. <\/p>\n<p class=\"wp-block-paragraph\">Blackfog <a href=\"https:\/\/cybersecuritynews.com\/openclaw-ai-agents-leak-sensitive-data\/\" id=\"144974\" target=\"_blank\" rel=\"noreferrer noopener\">recommends enforcing anti-data-exfiltration controls<\/a> at the endpoint, blocking outbound data transfers at the point of theft rather than relying solely on file scanning.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise\"><strong>Indicators of Compromise:<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Domain<\/td>\n<td>akmuniverstall.top<\/td>\n<td>C2 and distribution domain (13\/94 detections on VirusTotal)<\/td>\n<\/tr>\n<tr>\n<td>URL Path<\/td>\n<td>\/backend\/api\/app.php<\/td>\n<td>C2 endpoint path written by the builder by default<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>104.18.20.213<\/td>\n<td>Cloudflare fronting IP associated with C2 infrastructure<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>104.21.46.39<\/td>\n<td>Cloudflare fronting IP associated with C2 infrastructure<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>172.67.223.39<\/td>\n<td>Cloudflare fronting IP associated with C2 infrastructure<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2<\/td>\n<td>Signed sideload host executable (Setup_File_75.593.2113.exe \/ Setup_File_27.430.4673.exe); 0\/71 detections<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1<\/td>\n<td>Malicious DLL (borlndmm.dll) \u2014 Build 1<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54<\/td>\n<td>Malicious DLL (borlndmm.dll) \u2014 Build 2<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab<\/td>\n<td>Delivery archive (password-protected ZIP)<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>Fling-Standalone*, FinePrint*, SystemSettings.exe<\/td>\n<td>Lure filenames used in fake installer packages<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>Fake Windows update ZIPs<\/td>\n<td>Additional lure packages used in distribution campaign<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-onyxc2-malware-as-a-service\/\">Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-use-onyxc2-malware-as-a-service\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications A new and dangerous credential-stealing tool called OnyxC2 has emerged in the cybercrime underground, showing just how easy it has become for even low-skilled attackers to run a professional hacking operation. 
Sold as a complete package for $250 a month, the malware gives buyers everything [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13589","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13589"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13589"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13589\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
